Need to stop Magento running on nginx from redirecting the frontend from http to https



Below is my current nginx configuration. I'm running PHP 5.5 with opcache and Magento 1.9.2.2.

It has 2 problems:

1. The site keeps redirecting to https for everything.

2. When I update a JavaScript or CSS file, I keep getting net::ERR_SPDY_PROTOCOL_ERROR. I can fix it by restarting nginx, but that's just a workaround...

The Magento settings are:

Use Secure URLs in Frontend: "No"

Use Secure URLs in Admin: "Yes"

Unsecure Base URL: http://WEBSITENAME.com

Secure Base URL: https://WEBSITENAME.com

I want the site frontend (except the cart) to be http and the backend to be https. What changes do I need to make? I've pieced the nginx conf together from several sources.

Any suggestions or help would be appreciated. I've also included a link to a gist of these files: https://gist.github.com/btray77/8867aa2fddc1803bfee0

Thanks

Configuration file /etc/nginx/conf.d/export.conf:

location ~ /var/export {
    satisfy all;                      # both the IP allow-list AND basic auth must pass
    allow 1.2.3.4;
    deny all;
    auth_basic "Restricted";
    auth_basic_user_file .htpasswd;   # relative path: resolved against the nginx prefix directory
    autoindex off;
}

Configuration file /etc/nginx/conf.d/extra_protect.conf:

## Extra protection
## Literal dots are escaped: an unescaped "." in a location regex matches any
## character, so "cron.php" would also match "cronXphp" and ".git" would match "agit".
location ~ /(dev/tests/|errors/local\.xml|cron\.php) { deny all; }
location ~ ^/.*\.(sh|pl|swp|phar|sql|conf|zip|tar|.+gz)$ { return 444; }
location ~ /\.(svn|git|hg|htpasswd|bash|ssh) { return 444; }
location ~* /(lib|media|shell|skin)/.*\.php$ { deny all; }
location ~ /(wishlist|customer|contact|review|catalogsearch|newsletter|(fire|one.+)?checkout)/ {
        limit_req zone=goeasy burst=5;
        limit_req_status 429;
        if ($http_user_agent ~* "Baiduspider|Googlebot|bingbot|Yahoo|YandexBot") { return 410; }
        try_files $uri $uri/ @rewrite;
}
## Wordpress files and locations protection
location ~ /wp-config\.php { deny all; }
location ~ /wp-includes/(.*)\.php { deny all; }
location ~ /wp-admin/includes(.*)$ { deny all; }
location ~ /xmlrpc\.php { deny all; }
location ~ /wp-content/uploads/(.*)\.php(.?) { deny all; }

Configuration file /etc/nginx/conf.d/headers.conf:

## Note: add_header is inherited from the enclosing level only when the current
## level has no add_header of its own. A location that includes this file therefore
## gets exactly these headers and loses any add_header set at server level.
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-UA-Compatible 'IE=Edge,chrome=1';
add_header X-Processing-Time $request_time;

Configuration file /etc/nginx/conf.d/pagespeed.conf:

pagespeed  on;
pagespeed  FileCachePath  "/var/tmp/ngx_pagespeed_cache";
pagespeed  LogDir "/var/log/pagespeed";
#to optimize images use: https://github.com/mikebrittain/Wesley
#pagespeed  EnableFilters convert_gif_to_png;
#pagespeed  EnableFilters insert_image_dimensions;
#pagespeed  EnableFilters lazyload_images;
#pagespeed  EnableFilters collapse_whitespace;
#pagespeed  EnableFilters remove_comments;
#pagespeed  EnableFilters flatten_css_imports;
#pagespeed  EnableFilters insert_dns_prefetch;
#pagespeed  EnableFilters extend_cache;
#pagespeed EnableFilters  canonicalize_javascript_libraries;
pagespeed EnableFilters  extend_cache;
pagespeed EnableFilters  extend_cache_pdfs; 
pagespeed EnableFilters  combine_css; 
pagespeed EnableFilters  combine_javascript; 
pagespeed EnableFilters  move_css_above_scripts; 
pagespeed EnableFilters  insert_dns_prefetch; 
pagespeed EnableFilters  rewrite_images; 
pagespeed EnableFilters  prioritize_critical_css; 
pagespeed EnableFilters  rewrite_css; 
pagespeed EnableFilters  rewrite_style_attributes; 
pagespeed EnableFilters  convert_meta_tags; 
pagespeed EnableFilters  lazyload_images; 
pagespeed EnableFilters  collapse_whitespace; 
#pagespeed EnableFilters  move_css_to_head; 
pagespeed EnableFilters  remove_quotes; 
pagespeed EnableFilters  inline_css; 
pagespeed EnableFilters  inline_javascript;
pagespeed  EnableFilters convert_gif_to_png;
pagespeed  EnableFilters insert_image_dimensions;
pagespeed  EnableFilters lazyload_images;
pagespeed  EnableFilters collapse_whitespace;
pagespeed  EnableFilters remove_comments;
pagespeed  EnableFilters flatten_css_imports;
#pagespeed EnableFilters defer_javascript;
pagespeed EnableFilters  rewrite_javascript;
#pagespeed UseExperimentalJsMinifier on;

pagespeed  StatisticsLogging on;
pagespeed  RetainComment "esi*";
# magento admin
pagespeed  Disallow "*index.php/admin/*"; 
pagespeed  Disallow "*/admin/*";
pagespeed  Disallow "*/phpMyAdmin/*";

Configuration file /etc/nginx/conf.d/spider.conf:

# BLACKBOT
if ($http_user_agent ~* "360Spider|aiHitBot|Exabot|AhrefsBot|betaBot|BlackWidow|Bolt|BLEXBot|BUbiNG|CazoodleBot|CPython|CCBot|ChinaClaw|Curious|CRAZYWEBCRAWLER|Custo|Default|DIIbot|DISCo|discobot|eCatch|ecxi|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|ExtractorPro|EyeNetIE|FlashGet|Findxbot|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|Go.*package.*|GrabNet|Grafula|GT::WWW|heritrix|HaosouSpider|HMView|HTTP::Lite|HTTrack|ia_archiver|IDBot|id-search|id-search.org|InterGET|InternetSeer.com|IRLbot|JetCar|larbin|LeechFTP|Lightspeedsystems|litemage_walker|Link|LinksManager.com_bot|Lipperhey|linkwalker|lwp-trivial|Maxthon$|Mail.RU_Bot|MegaIndex.ru|MFC_Tear_Sample|microsoft.url|Microsoft-IIS|Microsoft|Mozilla.*Indy|Mozilla.*NEWT|MJ12bot|MSFrontPage|Navroad|NearSite|NetAnts|NetLyzer.*FastProbe|NetSpider|NetZIP|Nutch|Octopus|PageGrabber|panscient.com|pavuk|PECL::HTTP|PeoplePal|pcBrowser|PHPCrawl|PleaseCrawl|psbot|python-requests|RealDownload|ReGet|RedesScrapy|Rippers|RocketCrawler|SBIder|Scrapy|ScreenerBot|SEOprofiler|SeaMonkey$|SeznamBot|sitecheck.internetseer.com|SiteSnagger|SmartDownload|Snoopy|SputnikBot|Steeler|SuperBot|SuperHTTP|Surfbot|sqlmap|tAkeOut|Teleport|Toata|TwengaBot|Typhoeus|URI::Fetch|User-Agent|voltron|Vagabondo|VoidEYE|webalta|WebAuto|[Ww]eb[Bb]andit|WebCollage|WebCopier|WebFetch|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WebZIP|Wget|Widow|Wotbox|WWW-Mechanize|WWWOFFLE|zermelo|Zeus|Zeus.*Webster|ZyBorg")
{ return 444; }

Configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;
fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  HTTPS              $https if_not_empty;
fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
#fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;
# magento
fastcgi_connect_timeout 65;
fastcgi_send_timeout 7200;
fastcgi_read_timeout 7200;

Configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;
    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;
    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;
    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;
    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;
    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;
    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

Configuration file /etc/nginx/nginx.conf:

user  nginx;
worker_processes  auto;
worker_rlimit_nofile 100000;
pid        /var/run/nginx.pid;
events {
    worker_connections  2000;
    multi_accept on;
    use epoll;
}
http   {
    index         index.html index.php;
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ';
    log_format  error403  '$remote_addr - [$time_local] "$request"';                                      
    keepalive_timeout   5;
    autoindex           off;
    server_tokens       off;
    port_in_redirect    off;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    client_max_body_size 64m;
    ## Flood protection example
    limit_req_zone $binary_remote_addr zone=goeasy:25m rate=1r/s;
    ## Cache open FD
    open_file_cache max=10000 inactive=3600s;
    open_file_cache_valid 7200s;
    open_file_cache_min_uses 2;
    ## Gzipping is an easy way to reduce page weight
    gzip                on;
    gzip_vary           on;
    gzip_proxied        any;
    gzip_types          application/javascript application/x-javascript text/javascript text/css;
    gzip_buffers        16 8k;
    gzip_comp_level     6;
    ##  SSL global settings
    #ssl_session_cache          shared:SSL:25m;
    #ssl_session_timeout        15m;
    #ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    #ssl_ciphers                "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5";
    #ssl_prefer_server_ciphers  on;
    #ssl_dhparam                /etc/ssl/certs/dhparams.pem;
    #ssl_stapling on;
    #resolver 8.8.8.8 8.8.4.4 valid=3600s;
    #resolver_timeout 5s;
    ## Use when Varnish in front
    #set_real_ip_from 127.0.0.1;
    #real_ip_header X-Forwarded-For;
    ## Multi shop code configuration
    #include /etc/nginx/conf.d/multishop.conf;
    ## Map status to exclude from access log
    map $status $writelog { 404  0; 410  0; 444  0; default 1; }
    ## Main domain configuration
    include /etc/nginx/sites-enabled/*.conf;
}

Configuration file /etc/nginx/sites-enabled/default.conf:

server {
    listen 80;
    return 444;
}
#server {
#    listen 443 ssl default;
#       ssl_certificate /etc/nginx/ssl/WEBSITENAME_com/ssl-bundle.crt;
#       ssl_certificate_key /etc/nginx/ssl/WEBSITENAME_com/WEBSITENAME_com.key;
#    return 444;
#}

Configuration file /etc/nginx/sites-enabled/magento.conf:

##   Add www
server {
    listen 80;
    server_name WEBSITENAME.com;
    return 301 $scheme://www.WEBSITENAME.com$request_uri;
}
server {
    listen 80;
    listen 443 ssl http2;
    #ssl on;
    #Had issues with nginx sending only partial files
    sendfile off;
    server_name www.overnightsupplements.com;
    root /var/www/html/overnight;
    access_log  /var/log/nginx/access_www.WEBSITENAME.com.log  main if=$writelog;
    error_log   /var/log/nginx/error_www.WEBSITENAME.com.log  error;
    ## Pagespeed module
    include /etc/nginx/conf.d/pagespeed.conf;
    ## Bots trap
    include /etc/nginx/conf.d/spider.conf;
    ## SSL CONFIGURATION
    ssl_certificate /etc/nginx/ssl/WEBSITENAME_com/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/WEBSITENAME_com/WEBSITENAME_com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    #resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver_timeout 5s;
    ## This block listens on 80 and 443, so these headers are also emitted on plain-HTTP
    ## responses. Browsers ignore HSTS received over HTTP, but once a client has seen it
    ## over HTTPS it rewrites every http:// URL for this host (and, with includeSubdomains,
    ## every subdomain) to https:// for max-age seconds without contacting the server.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    location = /js/index.php/x.js {
        rewrite ^(.*\.php)/ $1 last;
    }
    ## Main Magento @location
    location / {
        try_files $uri $uri/ @rewrite;
    }
    ## Server maintenance block.
    #include /etc/nginx/conf.d/maintenance.conf;
    ## Error log/page
    #include /etc/nginx/conf.d/error_page.conf;
    ## Export folder
    include /etc/nginx/conf.d/export.conf;
    ## These locations are protected
    location ~ /(app|var|includes|pkginfo)/ {
        deny all;
    }
    ## Extra protection and limits
    include /etc/nginx/conf.d/extra_protect.conf;
    ## Images
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
        access_log off;
        add_header ETag "";
        add_header Accept-Ranges bytes;
    }
    location @rewrite {
        rewrite / /index.php?$args;
    }
    ## Execute PHP scripts
    location ~ \.php$ {
        ## headers.conf brings its own add_header directives, so PHP responses get that
        ## set instead of the server-level one (HSTS, X-Frame-Options DENY) above.
        include /etc/nginx/conf.d/headers.conf;
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        #fastcgi_pass 127.0.0.1:$port_switch;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        ## Store code with multi domain
        #fastcgi_param MAGE_RUN_CODE $mage_code;
        #fastcgi_param MAGE_RUN_TYPE $mage_type;
        include fastcgi_params;
    }
}

When you say "frontend" it sounds like you mean the public part of the site, and by "backend" you mean the area of the site that is only for admins.

After weighing this design against "https-everywhere", it would be simpler to just go "https-everywhere". Here's why:

  • When you have a boundary between "http" and "https" on your site, you have to manage that boundary. Every link that crosses the boundary needs to make sure it changes protocol.
  • When insecure assets are loaded into the secure part of the site, "mixed active content" problems are more likely to arise.
  • Your admins may still be vulnerable to cookie sidejacking while browsing the cleartext part of the site, if the browser is still sending back cookies that are only meant for the secure part of the site.

SSL certificates are cheap, and either way you'll be setting up and managing one.

So my first suggestion for the redirect-to-HTTPS problem is to go ahead and go HTTPS-everywhere. That's the direction the HTTP/2.0 web is heading, so it's good forward-compatible planning.

Second, make sure the server hasn't used HSTS in the past. If it set a "Strict-Transport-Security" header, the browser may have cached it and will switch to HTTPS immediately without checking with the server. If that's the case, this will disable HSTS:

 add_header  Strict-Transport-Security "max-age=0;";
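To make the answer's two points concrete (the http/https boundary and cookie exposure in the bullet list, and the HSTS header at the end), here is a server layout for the HTTPS-everywhere approach. This is an added example, not part of the original answer or the questioner's config. It reuses the hostnames, certificate paths and docroot from the question and assumes that, on the Magento side, both base URLs are changed to https://www.WEBSITENAME.com and "Use Secure URLs in Frontend" is set to "Yes". With a plain-HTTP listener that only redirects, there is no http/https boundary left to manage and no cleartext page on which the session cookie could be sent, and HSTS is emitted only by the TLS server block. The commented-out max-age=0 header marks where the answer's HSTS-clearing line would go instead, should a plain-HTTP frontend be kept after all.

```nginx
## Port 80: redirect everything to the canonical https host. Nothing else is
## served here, so no cookie is ever sent in cleartext and there is no
## http/https boundary inside the site to manage.
server {
    listen 80;
    server_name WEBSITENAME.com www.WEBSITENAME.com;
    return 301 https://www.WEBSITENAME.com$request_uri;
}

## Bare domain over TLS: canonicalise to www (the certificate must cover both names).
server {
    listen 443 ssl http2;
    server_name WEBSITENAME.com;
    ssl_certificate     /etc/nginx/ssl/WEBSITENAME_com/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/WEBSITENAME_com/WEBSITENAME_com.key;
    return 301 https://www.WEBSITENAME.com$request_uri;
}

## The only block that serves Magento. It listens on 443 only, so $https is
## always "on" and the HTTPS fastcgi param from the question's fastcgi_params
## makes Magento build https:// links.
server {
    listen 443 ssl http2;
    server_name www.WEBSITENAME.com;
    root /var/www/html/overnight;          # docroot taken from the question

    ssl_certificate     /etc/nginx/ssl/WEBSITENAME_com/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/WEBSITENAME_com/WEBSITENAME_com.key;
    # remaining ssl_* directives as in the question's magento.conf

    ## HSTS lives only here, on the TLS listener. Start with a short max-age and
    ## without preload/includeSubdomains; lengthen it once everything works.
    ## "always" (nginx >= 1.7.5) also sends it on error responses, which a plain
    ## add_header skips.
    add_header Strict-Transport-Security "max-age=300" always;
    ## If a plain-HTTP frontend is kept after all, send this instead (still from
    ## the TLS block, since browsers ignore HSTS received over HTTP) so that
    ## clients drop the cached policy:
    # add_header Strict-Transport-Security "max-age=0" always;

    location / {
        try_files $uri $uri/ @rewrite;
    }
    location @rewrite {
        rewrite / /index.php?$args;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;            # sets HTTPS from $https, as in the question
        ## Deliberately no add_header here: a location-level add_header would
        ## replace the server-level set above and HSTS would vanish from PHP responses.
    }
    # protection includes (export.conf, extra_protect.conf, spider.conf) go here as before
}
```

Run `nginx -t` before reloading. Keep max-age short and leave out preload until the whole host (and every subdomain, if includeSubdomains is used) is confirmed to work over TLS: a policy without preload expires after max-age seconds and can be cleared with max-age=0, whereas removal from browser preload lists takes much longer.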
